Merge pull request #16540 from poettering/acl-fix

two ACL handling fixes
2020-07-22 10:34:12 +02:00 · 2020-07-22 10:34:12 +02:00 · b876b07812
parent 002674387c d81be4e752
commit b876b07812
2 changed files with 14 additions and 28 deletions
--- a/src/coredump/coredump.c
+++ b/src/coredump/coredump.c
@ -177,38 +177,18 @@ static uint64_t storage_size_max(void) {
 static int fix_acl(int fd, uid_t uid) {

 #if HAVE_ACL
-        _cleanup_(acl_freep) acl_t acl = NULL;
-        acl_entry_t entry;
-        acl_permset_t permset;
        int r;

        assert(fd >= 0);
+        assert(uid_is_valid(uid));

        if (uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY)
                return 0;

-        /* Make sure normal users can read (but not write or delete)
-         * their own coredumps */
-
-        acl = acl_get_fd(fd);
-        if (!acl)
-                return log_error_errno(errno, "Failed to get ACL: %m");
-
-        if (acl_create_entry(&acl, &entry) < 0 ||
-            acl_set_tag_type(entry, ACL_USER) < 0 ||
-            acl_set_qualifier(entry, &uid) < 0)
-                return log_error_errno(errno, "Failed to patch ACL: %m");
-
-        if (acl_get_permset(entry, &permset) < 0 ||
-            acl_add_perm(permset, ACL_READ) < 0)
-                return log_warning_errno(errno, "Failed to patch ACL: %m");
-
-        r = calc_acl_mask_if_needed(&acl);
+        /* Make sure normal users can read (but not write or delete) their own coredumps */
+        r = add_acls_for_user(fd, uid);
        if (r < 0)
-                return log_warning_errno(r, "Failed to patch ACL: %m");
-
-        if (acl_set_fd(fd, acl) < 0)
-                return log_error_errno(errno, "Failed to apply ACL: %m");
+                return log_error_errno(r, "Failed to adjust ACL of coredump: %m");
 #endif

        return 0;
--- a/src/shared/acl-util.c
+++ b/src/shared/acl-util.c
@ -378,10 +378,13 @@ int acls_for_file(const char *path, acl_type_t type, acl_t new, acl_t *acl) {

 int add_acls_for_user(int fd, uid_t uid) {
        _cleanup_(acl_freep) acl_t acl = NULL;
-        acl_entry_t entry;
        acl_permset_t permset;
+        acl_entry_t entry;
        int r;

+        assert(fd >= 0);
+        assert(uid_is_valid(uid));
+
        acl = acl_get_fd(fd);
        if (!acl)
                return -errno;
@ -394,8 +397,8 @@ int add_acls_for_user(int fd, uid_t uid) {
                        return -errno;
        }

-        /* We do not recalculate the mask unconditionally here,
-         * so that the fchmod() mask above stays intact. */
+        /* We do not recalculate the mask unconditionally here, so that the fchmod() mask above stays
+         * intact. */
        if (acl_get_permset(entry, &permset) < 0 ||
            acl_add_perm(permset, ACL_READ) < 0)
                return -errno;
@ -404,5 +407,8 @@ int add_acls_for_user(int fd, uid_t uid) {
        if (r < 0)
                return r;

-        return acl_set_fd(fd, acl);
+        if (acl_set_fd(fd, acl) < 0)
+                return -errno;
+
+        return 0;
 }